diff options
Diffstat (limited to '.github/workflows/trustedPR.yml')
| -rw-r--r-- | .github/workflows/trustedPR.yml | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/.github/workflows/trustedPR.yml b/.github/workflows/trustedPR.yml new file mode 100644 index 000000000..d45bfeb11 --- /dev/null +++ b/.github/workflows/trustedPR.yml @@ -0,0 +1,58 @@ +# Modelled after https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + +name: Post PR Suggestions + +on: + workflow_run: + workflows: ["PR Suggestions"] + types: + - completed + +jobs: + comment: + runs-on: ubuntu-latest + if: > + ${{ github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' }} + + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); + - run: unzip pr.zip + + - uses: actions/github-script@v4 + with: + script: | + const { promises: fs } = require('fs') + const event = (await fs.readFile('event', 'utf8')).trim() + const body = (await fs.readFile('body', 'utf8')).trim() + const issue_number = Number(await fs.readFile('./NR')); + + var req = { + owner: context.repo.owner, + pull_number: issue_number, + repo: context.repo.repo, + event: event + }; + if (body !== "") { + req.body = body; + } + await github.pulls.createReview(req); |